What is Akira ransomware?
Akira ransomware rose to prominence in 2023 through aggressive extortion tactics and large ransom demands. It is believed to have ties to the former Conti ransomware group, and its name, Akira, is taken from a 1988 anime film.
Akira uses distinctive intrusion tactics against enterprises and pressures victims during negotiation to extract large payments. It primarily targets Windows and Linux systems (including VMware ESXi hosts) and practises double extortion: it exfiltrates sensitive data before encrypting it. As of January 2024, the group had reportedly hit over 250 organizations and collected more than $42 million in ransom payments.
Timeline of Akira ransomware activities
Here is a timeline of the Akira ransomware group's operations and activities from 2023 to 2024:
- March 2023: Akira ransomware is first observed.
- April 2023: The Akira RaaS group releases a Linux variant.
- August 2023: The group launches a new variant called Megazord.
- January 2024: Akira makes headlines for extorting $42 million in ransom proceeds.
- October 2024: Akira develops a Rust variant for targeting ESXi servers.
Akira ransomware victims
Akira ransomware has impacted over 250 organizations in North America, Europe, and Australia across a wide range of industries. According to Akira’s leak site data released in 2023, approximately 80% of the victims are small to medium-sized businesses (SMBs).
How Akira ransomware works
- Akira operators gain initial access mainly through VPN services that lack multi-factor authentication (MFA), exploiting known vulnerabilities in VPN appliances from vendors such as Cisco, SonicWall, and Fortinet to enter the target network.
- Once inside, they run Advanced IP Scanner to enumerate other hosts and services on the network as targets for lateral movement.
- They harvest credentials with tools like Mimikatz and LaZagne, and create new domain accounts and administrative accounts to escalate privileges and establish persistence.
- Ahead of lateral movement, they use PowerTool, which abuses the Zemana AntiMalware driver, to terminate antivirus-related processes and evade security solutions.
- They install legitimate remote support software such as AnyDesk on victim systems to maintain remote access, establish a command and control channel, and stage the payload.
- Akira practises double extortion: sensitive files are exfiltrated from victim devices before encryption begins.
- The encryptor uses a hybrid scheme: file contents are encrypted with the ChaCha20 stream cipher, and the symmetric keys are protected with RSA public-key encryption, so recovery without the attacker's private key is infeasible. Encrypted files usually carry the .akira extension; files hit by the Megazord variant carry the .powerranges extension.
- The ransomware also deletes volume shadow copies on the infected device via a PowerShell command (removing Win32_Shadowcopy objects through WMI) to hinder file recovery and restoration.
- Finally, it drops a ransom note with the ransom demand and instructions for the victim.
Akira data leak site
The Akira data leak site is hosted on Tor and reached through a .onion URL. Each victim receives a unique identifier in the ransom note and is directed to the site. On entering the portal, the victim is presented with a ransom demand payable in Bitcoin to the attacker's wallet. Victims that do not pay have their company details published on the leak site along with the stolen data.
Akira ransomware IoCs
Here is a list of malicious files affiliated with Akira ransomware:
| IoC | Description |
| --- | --- |
| w.exe | Akira ransomware |
| Win.exe | Akira ransomware encryptor |
| Akira_v2 | Akira version 2 ransomware |
| Megazord | Akira Megazord ransomware |
Source: CISA
Third-party tools used by Akira ransomware
Here is a list of third-party tools leveraged by Akira ransomware during attacks:
| Third-party tool | Usage |
| --- | --- |
| Advanced IP Scanner | Enumerates hosts and services on the network to find further targets. |
| Mimikatz | Extracts authentication credentials, including Kerberos tickets, from memory. |
| LaZagne | Recovers passwords stored by applications on Windows and Linux systems. |
| AnyDesk | Provides persistent remote access to compromised hosts and a command and control channel. |
| PowerShell | Built-in Windows tool used to delete volume shadow copies so encrypted files cannot be restored. |
Source: CISA
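The attack chain above and the tool table are easier to operationalise as a detection than as a reading list. The following is an added example written for this page, not code from CISA or from the vendor: it normalises a handful of constructed Sysmon process-creation events and Windows Security account events (hosts, users, paths and command lines are all made up) and tags each one with the stage it belongs to. The signal worth alerting on is several distinct stages co-occurring on one host, because any single tool here, AnyDesk or PowerShell in particular, can be legitimate on its own. Matching on the full command line rather than the image name is deliberate: the Mimikatz copy in the sample has been renamed to m.exe, as operators routinely do.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Behaviour-based rules for the stages the article describes. Matching on the
# full command line (not only the image name) catches renamed binaries such as
# a Mimikatz copy dropped as m.exe. Patterns are illustrative, not exhaustive.
PROCESS_RULES = [
    ("discovery", re.compile(r"advanced[_ ]ip[_ ]scanner", re.I)),
    ("credential-access", re.compile(r"mimikatz|lazagne|sekurlsa::", re.I)),
    ("defense-evasion", re.compile(r"powertool", re.I)),
    ("remote-access", re.compile(r"anydesk", re.I)),
    ("inhibit-recovery", re.compile(
        r"win32_shadowcopy.*remove-wmiobject|vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
]

# Windows Security log: 4720 = user account created,
# 4728 = member added to a security-enabled global group.
ACCOUNT_CREATED, GROUP_MEMBER_ADDED = "4720", "4728"


@dataclass
class Finding:
    host: str
    stage: str
    detail: str


def classify_event(event: Dict[str, str]) -> Optional[Finding]:
    """Map one normalised event to an intrusion stage, or None if nothing matched."""
    host = event.get("host", "?")
    eid = event.get("event_id")
    if eid == "1":  # Sysmon process creation
        text = f"{event.get('image', '')} {event.get('cmdline', '')}"
        for stage, pattern in PROCESS_RULES:
            if pattern.search(text):
                return Finding(host, stage, text.strip())
        return None
    if eid == ACCOUNT_CREATED:
        return Finding(host, "persistence",
                       f"{event.get('user')} created {event.get('target_user')}")
    # Only group additions into an admin group count as privilege escalation.
    if eid == GROUP_MEMBER_ADDED and "admin" in event.get("group", "").lower():
        return Finding(host, "privilege-escalation",
                       f"{event.get('target_user')} added to {event.get('group')}")
    return None


def stages_by_host(events) -> Dict[str, Set[str]]:
    """Collect the distinct stages observed on each host."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        finding = classify_event(ev)
        if finding:
            seen[finding.host].add(finding.stage)
    return dict(seen)


def hosts_with_chain(events, min_stages: int = 3) -> List[str]:
    """Hosts on which at least min_stages distinct stages co-occur."""
    return sorted(h for h, s in stages_by_host(events).items() if len(s) >= min_stages)


# Constructed sample events for the demonstration, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "FS01", "event_id": "1", "user": "CORP\\svc_backup",
     "image": "C:\\Users\\svc_backup\\Downloads\\advanced_ip_scanner.exe",
     "cmdline": "advanced_ip_scanner.exe /portable"},
    {"host": "FS01", "event_id": "1", "user": "CORP\\svc_backup",
     "image": "C:\\Temp\\m.exe",  # renamed Mimikatz; the arguments give it away
     "cmdline": "m.exe privilege::debug sekurlsa::logonpasswords"},
    {"host": "DC01", "event_id": "4720", "user": "CORP\\svc_backup", "target_user": "itadmin2"},
    {"host": "DC01", "event_id": "4728", "user": "CORP\\svc_backup",
     "target_user": "itadmin2", "group": "Domain Admins"},
    {"host": "DC01", "event_id": "4728", "user": "CORP\\hr.admin",
     "target_user": "jsmith", "group": "Sales"},  # routine, should not fire
    {"host": "FS01", "event_id": "1", "user": "CORP\\itadmin2",
     "image": "C:\\ProgramData\\AnyDesk\\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --start-with-win --silent"},
    {"host": "FS01", "event_id": "1", "user": "CORP\\itadmin2",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"host": "WS07", "event_id": "1", "user": "CORP\\jsmith",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n"},
]

if __name__ == "__main__":
    for host, stages in stages_by_host(SAMPLE_EVENTS).items():
        print(host, sorted(stages))
    print("chain:", hosts_with_chain(SAMPLE_EVENTS))
```

On the sample, FS01 accumulates discovery, credential access, remote access and shadow-copy deletion and is reported as a probable chain, DC01 shows only the account creation and admin-group addition, and the workstation running Word stays silent. In a real deployment the rules would be fed from the SIEM's normalised process and account events rather than from an inline list, and the per-host window would be bounded in time.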
How to protect against Akira ransomware
- Employee education: Make employees aware of the impact of ransomware and train them to recognize phishing emails, anomalous processes, and malicious executables.
- MFA: Enforce MFA for all user accounts, VPN accounts, and application services, and apply strong password policies; Akira's preferred entry point is a VPN login that has no MFA.
- Vulnerability testing: Scan all network devices, software, and applications for vulnerabilities, patch known flaws in VPN appliances promptly, and review security configurations regularly.
- Risk assessment: IT teams should run periodic risk assessments and score the risk of users and entities so that suspicious behavior, such as a service account creating new administrative accounts, stands out.
- Data backup and encryption: Back up sensitive data, keep at least one copy offline or immutable so the ransomware cannot encrypt or delete it the way it deletes shadow copies, test restores regularly, and protect original files and backups with encryption.
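The backup advice only pays off if, after an incident, you can tell which backup predates the encryption. The following is an added example, not code from the page or the vendor: it walks a share for files carrying the extensions the article attributes to Akira, derives the encryption window from their modification times, and picks the newest backup taken strictly before that window. The share contents, timestamps and backup catalogue are constructed in a temporary directory so the script runs offline.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Extensions the article attributes to Akira's encryptors.
AKIRA_EXTENSIONS = (".akira", ".powerranges")


def find_encrypted(root: str, exts: Iterable[str] = AKIRA_EXTENSIONS) -> List[Tuple[str, float]]:
    """Walk root and return (path, mtime) for every file with an Akira extension,
    oldest first. The mtime is the best on-disk hint of when the encryptor wrote it."""
    wanted = tuple(e.lower() for e in exts)
    hits = [(str(p), p.stat().st_mtime)
            for p in Path(root).rglob("*")
            if p.is_file() and p.suffix.lower() in wanted]
    return sorted(hits, key=lambda hit: hit[1])


def encryption_window(root: str) -> Optional[Tuple[float, float, int]]:
    """(first_mtime, last_mtime, count) of encrypted files, or None if none were found."""
    hits = find_encrypted(root)
    if not hits:
        return None
    return hits[0][1], hits[-1][1], len(hits)


def newest_clean_backup(backups: Dict[str, float], first_encrypted: float) -> Optional[str]:
    """Newest backup completed strictly before encryption began. Snapshots taken
    during or after the window may already hold encrypted files, so they are skipped."""
    clean = {name: ts for name, ts in backups.items() if ts < first_encrypted}
    return max(clean, key=clean.get) if clean else None


BASE = 1_700_000_000  # arbitrary epoch seconds for the constructed sample


def build_sample_tree(root: str) -> None:
    """Constructed sample share: three encrypted files and one untouched file."""
    sample = {
        "finance/q3.xlsx.akira": BASE + 60,
        "finance/q4.xlsx.akira": BASE + 120,
        "hr/contracts.pdf.powerranges": BASE + 600,
        "hr/notes.txt": BASE - 86_400,
    }
    for rel, ts in sample.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"placeholder")
        os.utime(path, (ts, ts))  # pin the mtime so the window is deterministic


def demo() -> Tuple[Optional[Tuple[float, float, int]], Optional[str]]:
    """Run the triage against the constructed share and a constructed backup catalogue."""
    with tempfile.TemporaryDirectory() as share:
        build_sample_tree(share)
        window = encryption_window(share)
        # Constructed backup catalogue: backup name -> completion time.
        backups = {"nightly-2": BASE - 3_600, "nightly-1": BASE - 90_000, "hourly": BASE + 90}
        pick = newest_clean_backup(backups, window[0]) if window else None
        return window, pick


if __name__ == "__main__":
    print(demo())
```

The "hourly" backup in the sample completed after the first file was encrypted and is therefore rejected even though it is the most recent; the script selects "nightly-2" instead. On a real share, confirm the chosen backup by restoring a handful of files and checking they open, since modification times can be disturbed by the encryptor itself or by earlier cleanup attempts.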
Related solutions
ManageEngine Log360 is a comprehensive SIEM solution with advanced ransomware detection and mitigation capabilities. Log360 stands out as one of the best ransomware protection solutions, offering these powerful features:
- 360-degree network visibility: Log360 provides complete visibility into the network through out-of-the-box audit reports and interactive dashboards on a single console.
- Ransomware detection: Predefined correlation rules and alert profiles for ransomware detection help identify potential ransomware activities in real time.
- User and entity behavior analytics: With its ML-based behavior monitoring capabilities, Log360 detects anomalous activities in the network to identify potential signs of a ransomware attack.
- File monitoring: Log360's file integrity monitoring feature helps monitor unauthorized file accesses, creations, deletions, and modifications to protect sensitive data from ransomware.
- Cloud app security: Log360's CASB capabilities help block suspicious websites and ban malicious applications to secure sensitive cloud data from ransomware threats.
- Ransomware incident response: The ransomware detection alert profiles include built-in incident response workflows that, when enabled, prevent the propagation of ransomware attacks.
To explore more, sign up for a personalized demo of Log360. Or, you can discover its powerful capabilities with a fully functional, 30-day, free trial.


